(54) Title: CRYPTOGRAPHIC TECHNIQUE FOR PROVIDING FAST ENCRYPTION AND DECRYPTION AND FOR PRODUCING
A MESSAGE AUTHENTICATION CODE



(57) Abstract 

A cryptographic technique that provides fast and extremely
secure encryption and decryption, assures integrity of a
ciphertext message and can be used to generate a message
authentication code (MAC). This technique involves, during
message encryption: generating, in response to an incoming
plaintext message (410), an intermediate stream (420) - such
as by chaining the message, wherein a predefined portion of
the intermediate stream (422) defines a MAC; inserting an
encrypted version (445) of the MAC into a predefined portion
of a ciphertext message (451); and generating, in response
to the intermediate stream and the encrypted MAC, a
remainder of the ciphertext message such that the remainder
exhibits a predefined, e.g., pseudo-random, variation which
is also contained within the encrypted MAC. By extending a
specific pseudo-random sequence, as defined by the encrypted
MAC, across the remainder of the ciphertext, any subsequent
change to the ciphertext would likely destroy the continuity
of this sequence that would otherwise reside throughout the
remainder of the ciphertext.
CRYPTOGRAPHIC TECHNIQUE FOR PROVIDING FAST ENCRYPTION AND
DECRYPTION AND FOR PRODUCING A MESSAGE AUTHENTICATION CODE



BACKGROUND OF THE DISCLOSURE 

1. Field of the Invention 

The invention relates to cryptography,
particularly a cryptographic technique that not only
provides fast and extremely secure encryption and
decryption but also assures integrity of a ciphertext
message. Advantageously, this technique is particularly,
though not exclusively, suited for use in real-time
encryption and decryption of files, such as, but not
limited to, those stored in a repository, e.g., a disk
drive or other storage medium in a personal computer or
server, or communicated through an insecure network.
This technique can also be used to efficiently and
rapidly generate a message authentication code (MAC).

2. Description of the Prior Art 

Over the centuries, for as long as information 
has been communicated between two individuals, the 
information has been susceptible to third-party 
interception, eavesdropping, compromise and/or 
corruption. Clearly, the problem of securely protecting 
information from such acts has existed for quite a long 
time.

Traditionally, this problem has been handled through the
use of sophisticated cryptographic techniques. One class of
these techniques involves the use of key based ciphers.
In particular, through a key based cipher, sequences of
intelligible data, i.e., plaintext, that collectively
form a message are each mathematically transformed,
through an enciphering algorithm, into seemingly
unintelligible data, i.e., so-called ciphertext. Not
only must the transformation be completely reversible,
i.e., two way in the sense that the ciphertext must be
invertible back to its corresponding original plaintext
but also on a 1:1 basis, i.e., each element of plaintext
can only be transformed into one and only one element of
ciphertext. In addition, a particular cipher that
generated any given ciphertext must be sufficiently
secure from cryptanalysis. To provide a requisite level
of security, a unique key is selected which defines only
one unique corresponding cipher, i.e., precluding, to the
extent possible, a situation where multiple differing
keys each yields reversible transformations between the
same plaintext-ciphertext correspondence. The strength
of any cryptographic technique and hence the degree of
protection it affords from third-party intrusion is
directly proportional to the time required, by a
third-party, to perform cryptanalysis, e.g., with a key
based cipher to successfully convert the ciphertext into
its corresponding plaintext without prior knowledge of
the key. While no encryption technique is completely
impervious from cryptanalysis, an immense number of
calculations and an extremely long time interval -- given
the computing technology then available -- required to
break a cipher without prior knowledge of its key
effectively renders many techniques, for all practical
intents and purposes, sufficiently secure to warrant
their widespread adoption and use. In that regard, as
recently as a few years ago, if a cipher was of such
complexity that it required on the order of man-years or
more to break, in view of the state of the processing
technology then available to do so, the underlying
cryptographic technique was viewed by many as rendering a
sufficient degree of security to warrant its use.

However, computing technology continues to 
rapidly evolve. Processors, once unheard of just a few 
years ago in terms of their high levels of sophistication 
and speed, are becoming commercially available at ever 
decreasing prices. Consequently, processing systems, 
such as personal computers and workstations, that were 
previously viewed as not possessing sufficient processing 
power to break many so-called "secure" cryptographic 
ciphers are now, given their current power and 
sophistication, providing third parties with the 
necessary capability to effectively break those same 
ciphers. What may have taken years of continual 
computing a decade ago can now be accomplished in a very 
small fraction of that time. Hence, as technology 
evolves, the art of cryptography advances in lockstep in 
a continual effort to develop increasingly sophisticated 
cryptographic techniques that withstand correspondingly 
intensifying cryptanalysis.

Over the past few years, the Internet community
has experienced explosive and exponential growth,
growth that, by many accounts, will only continue
increasing. Given the vast and increasing magnitude of 
this community, both in terms of the number of individual 
users and web sites and sharply reduced costs associated 
with electronically communicating information, such as 
e-mail messages and electronic files, over the Internet 
between one user and another as well as between any 
individual client computer and a web server, electronic 
communication, rather than more traditional postal mail, 
is rapidly becoming a medium of choice for communicating 
information, whether it be, e.g., an e-mail message or a 
program update file. In that regard, the cost of sending 
an electronic file between computers located on opposite 
sides of the Earth is a very small fraction of the cost 
associated with storing that file on a diskette (or other 
media) and transporting that media between these 
locations even through the least expensive class of 
postal mail service. However, the Internet, being a 
publicly accessible network, is not secure and, in fact, 
has been and increasingly continues to be a target of a 
wide variety of attacks from various individuals and 
organizations intent on eavesdropping, intercepting 
and/or otherwise compromising or even corrupting message 
traffic flowing on the Internet or illicitly penetrating 
sites connected to the Internet. This security threat, 
in view of the increasing reliance placed on use of the 
Internet as a preferred medium of communication, 
exacerbates the efforts in the art, otherwise fostered by 
primarily continuing advances in computing power, to 
develop increasingly strong cryptographic techniques that
provide enhanced levels of security to electronic
communication.

However, encryption, by itself, provides no 
guarantee that an enciphered message can not be or has not
been compromised during transmission or storage by a 
third party. Encryption does not assure integrity. An 
encrypted message could be intercepted and changed, even 
though it may be, in any instance, practically 
impossible, to cryptanalyze. In that regard, the third
party could intercept, or otherwise improperly access, a 
ciphertext message, then substitute a predefined illicit 
ciphertext block(s) which that party, or someone else
acting in concert with that party, has specifically 
devised for a corresponding block(s) in the message; and
thereafter, transmit that resulting message with the 
substituted ciphertext block(s) onward to a destination
— all without the knowledge of the eventual recipient of 
the message and to the eventual detriment of the original 
message sender and/or its recipient. For example, if the 
message involved a financial transaction between a 
purchaser and a seller, the substituted block could be an 
enciphered account number of the third party rather than 
that of the intended seller; hence, with an eventual 
effect of possibly illicitly diverting money originally 
destined to the seller to the third party instead. For a 
variety of reasons, messages carried over the Internet 
are vulnerable in this regard. 

Detecting altered communication is not confined
to Internet messages. With the burgeoning use of
stand-alone personal computers, very often, an individual
or business will store confidential or other information
within the computer, such as on a hard-disk therein, with
a desire to safeguard that information from illicit
access and alteration by third-parties. Password
controlled access -- which is commonly used to restrict
access to a given computer and/or a specific file stored
thereon -- provides a certain, but rather rudimentary,
form of file protection. Often users are cavalier about
their passwords, either in terms of safeguarding their
password from others or simply picking passwords that
others can easily discern; thereby creating a security
risk. Once password protection is circumvented by
whatever means are used, a third party can access a
stored file and then change it, with the owner of the
file then being completely oblivious to any such change.

Therefore, a need exists in the art for a
cryptographic technique that not only provides an
extremely high level of security against cryptanalysis,
particularly given the sophistication and power of
current and future processing technology, but also is
capable of detecting a change made to a ciphertext
message. Such a technique would find wide application,
including, but not limited to, use in, e.g., secure file
storage or safeguarding messages transmitted over an
insecure network.

SUMMARY OF THE INVENTION

Advantageously, our inventive cryptographic
technique satisfies this need and overcomes the
deficiencies in the art by, in accordance with our broad
inventive teachings, during message encryption:
generating, in response to an incoming plaintext message,
an intermediate stream, wherein a predefined portion of
the intermediate stream defines a message authentication
code (MAC); inserting an encrypted version of the MAC
into a predefined portion of a ciphertext message; and
generating, in response to the intermediate stream and
the encrypted MAC, a remainder of the ciphertext message
such that the remainder exhibits a predefined variation,
e.g., a pseudo-random sequence, also contained within the
encrypted MAC. Decryption proceeds in essentially a
reverse fashion to that of encryption. By virtue of
extending a specific pseudo-random sequence, as defined
by the encrypted MAC, across the remainder of the
ciphertext, any subsequent change to the ciphertext
would, in all likelihood, destroy the continuity of the
pseudo-random sequence that would otherwise reside
throughout the remainder of the ciphertext. Hence,
during decryption, any preceding violation to the
integrity of the ciphertext, i.e., changes made thereto,
can be readily detected by decrypting the MAC contained
in the ciphertext, eliminating the pseudo-random sequence
from the ciphertext to yield an intermediate stream,
recovering the plaintext from this intermediate stream,
recreating (recovering) a MAC from the recovered
plaintext and then comparing the recreated and decrypted
MACs for any discrepancy therebetween. Any such
discrepancy would signify that the ciphertext has been
changed and so indicate that the recovered plaintext is
invalid.

Specifically, each block of a plaintext
message, P, is first transformed, through, e.g., chaining
using a forward cipher block chain (CBC), to yield a
corresponding block in an intermediate bit stream, Y,
that is a function not only of that plaintext block but
also of all the other preceding blocks in the plaintext
message. Illustratively, two blocks in the intermediate
bit stream, i.e., Y_(n-1) and Y_n, are concatenated
together to form a 64 bit MAC (Y_(n-1), Y_n). The MAC is
separately encrypted using conventional pseudo-random
encryption, such as DES (data encryption standard), to
yield a 64-bit encrypted MAC (Y'_(n-1), Y'_n). The
remaining blocks, i.e., n-2 blocks, in the intermediate
bit stream, i.e., Y_0, ..., Y_(n-2), are themselves
chained together, in conjunction with the encrypted MAC
as a "seed", to yield the lowest order n-2 ciphertext
blocks in a ciphertext message, C. Through this
chaining, the pseudo-random sequence inherent in the
encrypted MAC is advantageously extended throughout the
remainder of the ciphertext message. The encrypted MAC
is then inserted into the ciphertext message as
blocks n-1 and n. Decryption proceeds in a reverse
fashion.



Furthermore, as noted, if the ciphertext
message were to be tampered in some fashion such as,
e.g., through substitution of an illicit ciphertext block
for an original ciphertext block, then the pseudo-random
sequence, inherent in the encrypted MAC, would no longer
extend throughout the remainder of the ciphertext.
Consequently, the continuity of that particular sequence
throughout all n-2 blocks in the ciphertext would be
destroyed; in effect a different such sequence would
arise. In that regard, the recovered MAC is affected,
inversely, by whatever pseudo-random sequence (if any)
then existed in the ciphertext when it is ultimately
decrypted. In contrast, the MAC, that has been decrypted
directly from the ciphertext, has determined the original
pseudo-random sequence that was originally extended
throughout the remainder of the ciphertext upon its
creation. The slightest change in the ciphertext would
cause a mismatch between these two MACs; thereby
indicating that the ciphertext has been tampered.

In particular, once the MAC has been decrypted
from the ciphertext message by, e.g., an inverse DES
process, that MAC value is temporarily stored. After the
plaintext message has been recovered, that particular
plaintext message is then processed through a backward
CBC to generate a recovered MAC, (Y_(n-1), Y_n). The
recovered MAC is then compared to the decrypted MAC. If
the two identically match, then the ciphertext has not
been altered; hence, the recovered plaintext generated
therefrom is valid. However, if any discrepancy arises
between the recovered and the decrypted MACs, then the
contents of the ciphertext message have been modified;
hence, the recovered plaintext obtained therefrom is
invalid and should be ignored.



As a feature of our specific inventive
teachings, the pseudo-random bit sequence inherent in the
encrypted MAC can be extended throughout the remaining
n-2 blocks of the ciphertext message through various
alternate techniques, such as, e.g., a stream cipher or a
backward CBC.
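
The encryption steps set out above (a forward chain over the plaintext whose last two values form the MAC, separate encryption of that MAC, and extension of the encrypted MAC's pseudo-random sequence across the remaining blocks), the decrypt-and-compare check, and the stream-cipher variant of the extension step, as one runnable Python example. This is an added illustration written for this page, not the patent's own algorithm or code: the chaining function, the HMAC-based pseudo-random function standing in for DES, the Feistel construction that makes the MAC encryption invertible, the key derivation labels and the padding are all assumptions of this example, and the key and message values are constructed. decrypt_unchecked shows the point made in the prior-art discussion: a receiver that only decrypts accepts a substituted block as different plaintext, whereas decrypt rejects it because the recreated MAC no longer matches the decrypted one.

```python
import hashlib
import hmac
import struct

BLOCK = 4            # 32-bit blocks, the illustrative width used on the page
MAC_LEN = 2 * BLOCK  # the MAC is two chain values, i.e. 64 bits, as on the page

def _prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function truncated to one block: our stand-in for the
    block cipher the page leaves open (e.g. DES), built from HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key: bytes):
    """Derive separate keys for the chain, the MAC cipher and the stream cipher."""
    return tuple(hmac.new(key, label, hashlib.sha256).digest()
                 for label in (b"chain", b"mac-cipher", b"stream"))

def _pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def forward_chain(chain_key: bytes, padded: bytes) -> bytes:
    """Forward CBC-style chain: each Y_i depends on P_i and on every earlier
    block; the MAC is the last two values (Y_(n-1), Y_n). Starting the chain
    from the message length (our choice) gives two values even for one block."""
    y = _prf(chain_key, struct.pack(">I", len(padded)))
    values = [y]
    for i in range(0, len(padded), BLOCK):
        y = _prf(chain_key, _xor(padded[i:i + BLOCK], y))
        values.append(y)
    return values[-2] + values[-1]

def _feistel(mac_key: bytes, block8: bytes, rounds) -> bytes:
    """64-bit keyed permutation (Feistel network over _prf) used to encrypt the
    MAC; applying the rounds in reverse order inverts it."""
    left, right = block8[:BLOCK], block8[BLOCK:]
    for r in rounds:
        left, right = right, _xor(left, _prf(mac_key, bytes([r]) + right))
    return right + left

def _stream_xor(stream_key: bytes, enc_mac: bytes, data: bytes) -> bytes:
    """Stream cipher seeded by the encrypted MAC: the pseudo-random sequence the
    encrypted MAC defines is extended across every remaining block."""
    return b"".join(
        _xor(data[i:i + BLOCK],
             _prf(stream_key, enc_mac + struct.pack(">I", i // BLOCK)))
        for i in range(0, len(data), BLOCK))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    chain_key, mac_key, stream_key = _subkeys(key)
    padded = _pad(plaintext)
    mac = forward_chain(chain_key, padded)           # (Y_(n-1), Y_n)
    enc_mac = _feistel(mac_key, mac, range(4))       # encrypted MAC
    body = _stream_xor(stream_key, enc_mac, padded)  # remainder of the ciphertext
    return body + enc_mac                            # encrypted MAC is the final two blocks

def decrypt(key: bytes, ciphertext: bytes):
    """Returns (plaintext, True) when the recreated MAC matches the decrypted
    MAC, and (None, False) when the ciphertext has been altered."""
    chain_key, mac_key, stream_key = _subkeys(key)
    if len(ciphertext) < MAC_LEN + BLOCK or len(ciphertext) % BLOCK:
        return None, False
    body, enc_mac = ciphertext[:-MAC_LEN], ciphertext[-MAC_LEN:]
    decrypted_mac = _feistel(mac_key, enc_mac, reversed(range(4)))
    padded = _stream_xor(stream_key, enc_mac, body)   # strip the sequence, recover plaintext
    recovered_mac = forward_chain(chain_key, padded)  # recreate the MAC from that plaintext
    if not hmac.compare_digest(recovered_mac, decrypted_mac):
        return None, False
    return _unpad(padded), True

def decrypt_unchecked(key: bytes, ciphertext: bytes) -> bytes:
    """A receiver that only decrypts: the stream layer alone, no MAC comparison.
    A substituted block is silently accepted and simply yields other plaintext."""
    _, _, stream_key = _subkeys(key)
    return _stream_xor(stream_key, ciphertext[-MAC_LEN:], ciphertext[:-MAC_LEN])

def tamper_detected(key: bytes, plaintext: bytes) -> bool:
    """Flip one bit at each ciphertext position in turn; True if every forgery is rejected."""
    ciphertext = encrypt(key, plaintext)
    for pos in range(len(ciphertext)):
        forged = bytearray(ciphertext)
        forged[pos] ^= 0x01
        if decrypt(key, bytes(forged))[1]:
            return False
    return True
```

decrypt returns (None, False) instead of raising so that a caller can follow the page's instruction to ignore the recovered plaintext, and the MAC comparison is constant-time. Because the chain values here are only 32 bits wide, a single altered block escapes detection with probability on the order of 2^-32 in this construction, which is what "in all likelihood" means in practice; a deployment would widen the chain values (and use a real block cipher) to reach the 64-bit level the MAC's size suggests.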

BRIEF DESCRIPTION OF THE DRAWINGS 

The teachings of the present invention can be
readily understood by considering the following detailed
description in conjunction with the accompanying
drawings, in which:

FIG. 1 depicts a diagram of an overall
cryptographic process that incorporates the teachings of
the present invention;

FIG. 2 depicts a high-level block diagram of a
typical Internet-based client-server processing
environment that illustratively utilizes the present
invention;

FIG. 3 depicts a block diagram of client
computer 100 shown in FIG. 2;

FIG. 4A depicts a simplified high-level view of
our inventive encryption process;

FIG. 4B depicts a simplified high-level view of
our inventive decryption process;

FIG. 5 depicts a flowchart of Encryption
procedure 500 that forms part of application programs 130
and is executed within, illustratively, client
computer 100 shown in FIG. 2;

FIG. 6 depicts a flowchart of Encryption -- 
Backward CBC procedure 600 that can be substituted for 
Encryption Stream Cipher procedure 550 contained within 
Encryption procedure 500 shown in FIG. 5; 

FIG. 7 depicts the correct alignment of the 
drawing sheets for FIGs. 7A and 7B; 

FIGs. 7A and 7B collectively depict a flowchart 
of Decryption procedure 700 that forms part of 
application programs 130 and is executed within, 
illustratively, client computer 100 shown in FIG. 2; and 

FIG. 8 depicts a flowchart of Decryption --
Backward CBC procedure 800 that can be substituted for 
Decryption Stream Cipher procedure 710 contained within 
Decryption procedure 700 shown in FIGs. 7A and 7B. 

To facilitate understanding, identical 
reference numerals have been used, where possible, to 
designate identical elements that are common to the 
figures. 

DETAILED DESCRIPTION

After considering the following description, 
those skilled in the art will clearly realize that the 
teachings of our present invention can be utilized in any 
one of an extremely wide range of applications where 
secure encryption of information is desired. Moreover, 
not only will use of our invention provide secure 
encryption but also it will permit a recipient of 
information to determine whether the integrity of the 
encrypted information has been violated from the time 
that information was encrypted to the time it reaches the 
recipient, at which the information will be subsequently 
decrypted and used. Information, in this instance and as 
the term will be used hereinafter, is defined as 
generically encompassing all information that can be 
stored digitally, regardless of its specific content, 
i.e., whether that information is executable program code 
or data of one form or another. For purposes of 
simplification, we will discuss our invention in the 
context of use in a client-server transaction processing
environment where transaction messages are to be
communicated over an insecure network, such as the
Internet.

A. Overview 

FIG. 1 depicts a diagram of an overall 
cryptographic process that incorporates the teachings of 
the present invention. As shown, incoming plaintext 
information 5, is organized into so-called "messages". 



Each such message, designated as P, appearing on input
line 3 is organized as n + 1 blocks, with each block
being l bits in width, where here l is illustratively 32
bits. Each such plaintext block is encrypted, through
our inventive cryptographic process as will be described
in detail below in conjunction with FIGs. 4A, 5 and 7,
into a corresponding block of ciphertext data 15. A
ciphertext message, designated as C, is formed of n+1
successive 32-bit blocks of ciphertext. Resulting
ciphertext message C is then stored or transferred,
through a given modality, e.g., a network communication
channel, represented by dashed line 17, to a recipient
location. Here, the ciphertext message is decrypted to
yield recovered plaintext message 25, also denoted as
plaintext message P̂, which is identical in all aspects
to original plaintext message P. In addition, our
inventive decryption process, which will be discussed in
detail below in conjunction with FIGs. 4B, 6 and 8, not
only generates the recovered plaintext message, on
line 22, but also provides an indication, on line 24, as
to whether the integrity of ciphertext message C was
violated, at some point during its carriage through
channel 17; hence, invalidating the recovered plaintext
message. This indication, in turn, is supplied to, e.g.,
a downstream processor (not specifically shown) to
suitably instruct, e.g., an application program executing
thereat, to ignore the recovered plaintext message.

B. Illustrative processing environment

With the above in mind, consider FIG. 2 which
depicts a high-level block diagram of client-server 
processing environment 50 that utilizes the present 
invention. 

As shown, this environment contains 
computer 200 which implements server 210, the latter 
illustratively being a web server. A number of
individual remotely-located client computers, each being 
illustratively a personal computer (PC), of which only 
one such client, i.e., client computer 100, is 
specifically shown, is connected using appropriate 
communications channels, such as channels 140 and 160, 
through an insecure communications network, here shown as 
illustratively Internet 150, to computer 200. A user 
(not specifically shown) , stationed at client 
computer 100 and desirous of obtaining information from 
the server can invoke a corresponding client program at 
that computer. The client program forms one of a number 
of application programs 120 that collectively reside 
within and are executed by client computer 100. Though 
the client program is specifically shown as residing 
within the application programs, the former can also be 
implemented as a component, such as a web browser, of an 
operating system (O/S) , for example, of O/S 337 shown in 
FIG. 3. Server 210, shown in FIG. 2, can implement any 
of a wide variety of application functions including, for 
example, a commerce server, a banking server, an 
electronic mail or a file server. As to electronic 
commerce, the user might desire to conduct a commercial
transaction through server 210 that involves providing
(as symbolized by line 110) information to the server,
such as an account number of the user at a financial
institution and payment instructions to transfer funds to
a payee, or obtaining (as symbolized by line 135)
information from the server, such as available account or
credit balances of the user, which, in either event, is
confidential to that user. Alternatively, server 210 may
be a file server that provides the user with access to
various files stored in a repository, any of which the
user can download. Once such a file is downloaded, it
can be stored within, e.g., local file store 339,
situated within client computer 100 for local use
thereat. However, any such file may contain proprietary
and/or confidential information for which its owner
desires to control user access. For example, such a file
can be a self-installing executable file of an update for
a given program, for which its owner, e.g., a software
manufacturer, desires to prevent illicit public access,
i.e., preventing the update from being used by any
individual who has not remitted appropriate payment for
it. Server 210 itself may also provide confidential or
proprietary information (as symbolized by line 215) from
the user, via network 150, to downstream equipment (not
specifically shown) for subsequent processing, or receive
(as symbolized by line 218) confidential or proprietary
information from downstream equipment for eventual
transmission, via the network, to the user.

Network 150, being illustratively the Internet,
is susceptible to being compromised by a third-party. In
that regard, the third party could intercept a 
conventionally enciphered message then being carried over 
the network and emanating from, e.g., client 
computer 100, for, e.g., an on-going financial 
transaction involving a user situated thereat. While the 
third party may not have sufficient resources either in 
terms of available processing capacity or time to break 
the conventional cipher used for encrypting messages and 
recover the plaintext inherent in the transmitted 
message, that party may nevertheless possess sufficient 
knowledge of the ciphertext message, specifically its 
structural organization, and equipment needed to 
successfully change that message to the detriment of the 
user. In that regard, the third party might illicitly 
tamper with the ciphertext message by substituting one or 
more predefined ciphertext blocks for corresponding 
original ciphertext blocks, and then transmit a resulting 
modified ciphertext message back onto the network for 
carriage to computer 200 for processing thereat. The 
contents of these predefined blocks might be carefully 
constructed by another individual who has requisite 
knowledge of the messaging itself, particularly its 
contents, utilized by server 210 and including the 
enciphering algorithm used thereby. That individual 
could construct appropriate plaintext blocks and then 
encipher these blocks using the enciphering algorithm to 
generate the predefined ciphertext blocks which, in turn, 
might then be supplied to the third-party for actual and 
subsequent substitution into the intercepted ciphertext 
message. The predefined blocks might intentionally
change the nature of the transaction to generate illicit 
gain (or other mischief) , such as by substituting a block 
containing a bank routing number and an account number of 
a payee with a block containing a different bank routing
number and/or different account number; hence, ultimately 
causing funds to be electronically diverted from the 
payee to another party. 

To safeguard the confidential or proprietary 
nature of the information, transiting over network 150 
between client computer 100 and computer 200, from 
third-party access, both the client program 130 and 
server 210 each utilize cryptographic communication 
through incorporation of inventive encryption 
procedure 500 and inventive decryption procedure 700 
therein. As such, messages destined for network carriage 
and generated by one network application peer, either 
client program 130 or server 210, are each encrypted by 
encryption procedure 500 therein to yield corresponding 
ciphertext messages, which, in turn, are then each 
transmitted over network 150 to the other network 
application peer. Similarly, ciphertext messages 
received, from the network, by each of the peers are
decrypted by decryption procedure 700 therein to yield an 
appropriate recovered plaintext message. Encryption and 
decryption procedures 500 and 700 are inverse procedures 
of each other. 

Furthermore, through use of our inventive 
encryption and decryption processes in each network 
application peer, that peer can not only provide secure
communication with its other peer but can also detect
whether any ciphertext message destined to it from the
latter peer has been tampered, and if so, ignore that
message. By doing so, our inventive technique
advantageously effectively precludes a third-party from
benefiting by tampering with transmitted ciphertext.

C. Client Computer 100 

FIG. 3 depicts a block diagram of client 
computer (PC) 100.



As shown, client computer 100 comprises input
interfaces (I/F) 320, processor 340, communications
interface 350, memory 330 and output interfaces 360, all
conventionally interconnected by bus 370. Memory 330,
which generally includes different modalities, including
illustratively random access memory (RAM) 332 for
temporary data and instruction store, diskette
drive(s) 334 for exchanging information, as per user
command, with floppy diskettes, and non-volatile mass
store 335 that is implemented through a hard disk,
typically magnetic in nature. Mass store 335 may also
contain a CD-ROM or other optical media reader (not
specifically shown) (or writer) to read information from
(and write information onto) suitable optical storage
media. The mass store implements file
store (repository) 339. In addition, mass store 335 also
stores operating system (O/S) 337 and application
programs 120; the latter illustratively containing client
program 130 (see FIG. 2) which incorporates our inventive
cryptographic technique. O/S 337, shown in FIG. 3, may
be implemented by any conventional operating system, such
as the WINDOWS NT operating system. Given that, we will
not discuss any components of O/S 337 as they are all
irrelevant. Suffice it to say, that the client program,
being one of application programs 120, executes under
control of the O/S.

Advantageously, our present inventive
cryptographic technique, when embedded for use within a
client program, requires no user interaction -- other than
to establish an appropriate key (as discussed below) --
and thus, in use, can be substantially, if not totally,
transparent to the user.

As shown in FIG. 3, incoming information can
arise from two illustrative external sources: network
supplied information, e.g., from the Internet and/or
other networked facility, through network connection 140
to communications interface 350, or from a dedicated
input source, via path(es) 310, to input interfaces 320.
Dedicated input can originate from a wide variety of
sources, e.g., an external database. In addition, input
information, in the form of files or specific content
therein, can also be provided by inserting a diskette
containing the information into diskette drive 334 from
which computer 100, under user instruction, will access
and read that information from the diskette. Input
interfaces 320 contain appropriate circuitry to provide
necessary and corresponding electrical connections
required to physically connect and interface each
differing dedicated source of input information to 
computer system 100. Under control of the operating 
system, application programs 120 exchange commands and 
data with the external sources, via network 
connection 140 or path(es) 310, to transmit and receive 
information typically requested by a user during program 
execution.

Input interfaces 320 also electrically connect 
and interface user input device 395, such as a keyboard 
and mouse, to computer system 100. Display 380, such as 
a conventional color monitor, and printer 385, such as a 
conventional laser printer, are connected, via leads 363 
and 367, respectively, to output interfaces 360. The 
output interfaces provide requisite circuitry to 
electrically connect and interface the display and 
printer to the computer system. As one can appreciate, 
our present inventive cryptographic technique can operate 
with any type of digital information regardless of the 
modalities through which client computer 100 will obtain 
that information, store and/or communicate that 
information.

Furthermore, since the specific hardware 
components of computer system 100 as well as all aspects 
of the software stored within memory 335, apart from the 
modules that implement the present invention, are 
conventional and well-known, they will not be discussed 
in any further detail. Generally speaking, computer 200 has an architecture that is quite similar to that of client computer 100.

D. Inventive Cryptographic Technique 

Through our present invention, a plaintext message can be securely encrypted and any violations of the integrity of a resulting ciphertext message readily detected by, during encryption: generating, in response to an incoming plaintext message, an intermediate stream, wherein a predefined portion of the intermediate stream defines a message authentication code (MAC); inserting an encrypted version of the MAC into a predefined portion of a ciphertext message; and generating, in response to the intermediate stream and the encrypted MAC, a remainder of the ciphertext message such that the remainder exhibits a predefined variation, e.g., a pseudo-random variation, also contained within the encrypted MAC. Decryption proceeds in essentially a reverse fashion to that of encryption. By virtue of extending a specific pseudo-random sequence, as defined by the encrypted MAC, across the remainder of the ciphertext, any subsequent change to the ciphertext would, in all likelihood, destroy the continuity of the pseudo-random sequence that would otherwise reside throughout the remainder of the ciphertext. Hence, during decryption any preceding violation to the integrity of the ciphertext can be readily detected by decrypting the MAC contained in the ciphertext, eliminating the pseudo-random variation from the ciphertext to yield an intermediate stream, recovering the plaintext from this intermediate stream, recreating (recovering) a MAC from the recovered plaintext and then comparing the recreated and decrypted MACs for any discrepancy therebetween. Any such discrepancy would signify that the ciphertext has been changed and so indicate that the recovered plaintext is invalid.

Specifically, each block of a plaintext message, P, is first transformed, through, e.g., chaining using a forward cipher block chain (CBC), to yield a corresponding block in an intermediate bit stream, Y, that is a function not only of that plaintext block but also of all the other preceding blocks in the plaintext message. Illustratively, two blocks in the intermediate bit stream, i.e., $Y_{n-1}$ and $Y_n$, are concatenated together to form a 64-bit MAC $(Y_{n-1}, Y_n)$ (a comma separating successive values in parentheses is used hereinafter as an operator to denote concatenation of those values). By chaining a plaintext message and defining the MAC as a predefined portion, e.g., $(Y_{n-1}, Y_n)$, of the ensuing chained message, the MAC can be generated rather quickly and efficiently. The MAC is separately encrypted using conventional pseudo-random encryption, such as DES (data encryption standard), to yield a 64-bit encrypted MAC $(Y_{n-1}', Y_n')$. The remaining blocks, i.e., n-2 blocks, in the intermediate bit stream, i.e., $Y_0, \ldots, Y_{n-2}$, are themselves chained together, in conjunction with the encrypted MAC, to yield the lowest order n-2 ciphertext blocks in a ciphertext message, C. Through this chaining, the pseudo-random sequence inherent in the encrypted MAC is advantageously extended throughout the remainder of the ciphertext message. The encrypted MAC is then inserted into the ciphertext message as blocks n-1 and n. Decryption proceeds in a reverse fashion.


Furthermore, as noted, if the ciphertext message were to be tampered with in some fashion -- such as, e.g., through substitution of an illicit ciphertext block for an original ciphertext block, then the pseudo-random sequence, inherent in the encrypted MAC, would no longer extend throughout the remainder of the ciphertext. Consequently, the continuity of that particular sequence throughout all n-2 blocks in the ciphertext would be destroyed; in effect a different such sequence would arise. In that regard, the recovered MAC is affected, inversely, by whatever pseudo-random sequence (if any) then existed in the ciphertext when it is ultimately decrypted. In contrast, the MAC that has been decrypted directly from the ciphertext has determined the original pseudo-random sequence that was originally extended throughout the remainder of the ciphertext upon its creation. The slightest change in the ciphertext would cause a mismatch between these two MACs; thereby indicating that the ciphertext has been tampered with.


In particular, once the MAC has been decrypted from the ciphertext message by, e.g., an inverse DES process, that MAC value is temporarily stored. After the plaintext message has been recovered, that particular plaintext message is then processed through a backward CBC to generate a recreated (recovered) MAC, $(\tilde{Y}_{n-1}, \tilde{Y}_n)$. The recovered MAC is then compared to the decrypted MAC. If the two identically match, then the ciphertext has not been altered; hence, the recovered plaintext generated therefrom is valid. However, if any discrepancy arises between the recovered and the decrypted MACs, then the contents of the ciphertext message have been modified; hence, the recovered plaintext obtained therefrom is invalid and should be ignored.

In accordance with our specific inventive teachings, the pseudo-random bit sequence inherent in the encrypted MAC can be extended throughout the remaining n-2 blocks of the ciphertext message through various alternate techniques. In particular, through one illustrative technique, these n-2 ciphertext blocks can be generated by first processing the lowest order n-2 blocks of the intermediate bit stream, $Y_0, \ldots, Y_{n-2}$, through a conventional stream cipher, using the encrypted MAC as a seed. The contents of each of the resulting n-2 ciphered blocks are then combined, preferably by exclusive-OR, with a corresponding block of the intermediate bit stream, to yield a corresponding one of the n-2 blocks of the ciphertext message. Alternatively, these n-2 ciphertext blocks can be generated by processing the lowest order n-2 blocks of the intermediate bit stream through a backward CBC.

With the above in mind and to facilitate reader understanding, we will discuss our inventive cryptographic technique, first in context of the cryptographic key and underlying mathematical functions, then a high-level overview of the encryption and decryption processes, and finally in the context of software modules, specifically Encryption procedure 500 and Decryption procedure 700 (see, e.g., FIG. 2), that collectively implement these processes.



First, we assume that all mathematical operations performed by our inventive technique occur in a field of integers Z (mod p), i.e., 0, 1, ..., p-1, where p is a substantially large prime number. We define a key, within this field, as a concatenation of five integers, i.e., (a,b,c,d,e). In order to use our inventive cryptographic technique, the key will need to be supplied to both encryption and decryption procedures. Inasmuch as our technique relies on employing a single common key for encryption and decryption, then, if our technique is being used to encrypt messages for network transport, then the key will need to be communicated between the communicating peers in a secure fashion. Any one of a wide variety of schemes, such as, e.g., public key cryptography, can be used to so communicate the key. Inasmuch as the manner through which the key is so communicated is irrelevant to our invention, we will not address it in any further detail.

We also define two illustratively linear functions using portions of the key, illustratively as given by equations (1) and (2) below:

$F(x) = ax + b$   (1)

and

WO 99/55039 PCT/US99/08612

$G(x) = cx + d$   (2)

which, as will be seen below, will be used in conjunction with the CBCs. We have determined that our inventive cryptographic technique is secure with use of such linear functions. Hence, while our technique could be implemented with higher-order functions, e.g., quadratic functions, for ease of implementation and significantly reduced processing time, linear CBCs are preferred. In addition, the length of a message is n+1 blocks where n = 2m+1, where n and m are both integers within the field Z (mod p); with each such block containing 32 bits. The DES key, for MAC encryption and decryption, is illustratively defined as (a,b).

FIG. 4A depicts a simplified high-level view of 
our inventive encryption process 400. 

First, an incoming plaintext message, P, having blocks $P_0, \ldots, P_n$ and denoted as message 410, is processed, as symbolized by line 415, through a forward CBC, to yield intermediate message Y, also denoted as message 420, formed of individual blocks $Y_0, \ldots, Y_n$. The forward CBC is implemented through the following functions:

For i = 0:

$Y_0 = F[eP_0]$   (3)

For even i within n:

$Y_i = F[(Y_{i-1}) + eP_i]$   (4)

For odd i within n:

$Y_i = G[(Y_{i-1}) + P_i]$   (5)
Once the intermediate bit stream is fully computed, illustratively the concatenated contents of the two highest order blocks, $(Y_{n-1}, Y_n)$, collectively form MAC 422. These two blocks are then encrypted, as symbolized by line 423, illustratively using a conventional pseudo-random encryption algorithm, such as but not limited to DES, using (a,b) as the key, to yield encrypted MAC 445. This encryption algorithm is not limited to DES, but can in fact be any algorithm that yields a pseudo-random permutation. The resulting encrypted MAC $(Y_{n-1}', Y_n')$ is then applied as a seed to a conventional stream cipher algorithm, such as illustratively the RC4 algorithm. The stream cipher, SC, symbolized by line 432, produces n-2 ciphered blocks, $S_0, \ldots, S_{n-2}$. The stream cipher extends a pseudo-random sequence in the two-block string of the encrypted MAC throughout the remaining n-2 blocks in the intermediate bit stream thereby yielding the ciphered stream, S, also denoted as stream 435. For detailed information on stream ciphers, the reader is directed to: B. Schneier, Applied Cryptography, Second Edition, pages 197-198 (© 1996, J. W. Wiley & Sons, Inc.); and Chapter 2 "Stream Ciphers", pages 65-134 of G. J. Simmons (ed.), Contemporary Cryptology — The Science of Information Integrity (© 1992, IEEE Press); both of which are incorporated by reference herein. This n-2 block ciphered stream, appearing on line 437, is then combined, through exclusive-OR operation 440, on a corresponding block-by-block basis with the lowest order n-2 blocks in intermediate stream Y, appearing on line 427, to yield n-2 lowest order ciphertext blocks, $C_0, \ldots, C_{n-2}$. The two concatenated blocks that form the encrypted MAC are then copied, as symbolized by line 449, into two highest order blocks 452 in the ciphertext message, i.e., $C_{n-1}$ and $C_n$, to form, as output, a complete n+1 block ciphertext message, C, also denoted as message 451. Though operation 440 is illustratively shown and described as being an exclusive-OR operation, generally speaking, this operation (as well as operation 470 shown in FIG. 4B) can be any conventional predetermined function that constitutes a "field operation".

As noted above and discussed in detail below, stream cipher procedure 430, which includes both the stream cipher and the exclusive-OR operations, can be replaced by a backward CBC. The backward CBC, as with the stream cipher, would extend the pseudo-random sequence in the encrypted MAC, which appears in the highest-order two blocks of the ciphertext message, across the remaining n-2 blocks in this message. The backward CBC would be implemented through equations (6)-(8) as follows:

For i = n-1:

$C_{n-1} = F[e \cdot Y_{n-1}]$   (6)

For even i within $0 \le i < n-1$:

$C_i = F[(C_{i+1}) + eY_i]$   (7)

For odd i within $0 \le i < n-1$:

$C_i = G[(C_{i+1}) + Y_i]$   (8)

FIG. 4B depicts a simplified high-level view of our inventive decryption process 450.

Given incoming ciphertext message C, having blocks $C_0, \ldots, C_n$ and specifically message 451, first the contents of two highest-order blocks that form encrypted MAC 452 are extracted from the ciphertext message. These blocks are decrypted, as symbolized by line 458, by an inverse of the pseudo-random permutation algorithm used for encryption, e.g., inverse DES, with (a,b) as the key. The resulting decrypted MAC, $(\hat{Y}_{n-1}, \hat{Y}_n)$ and denoted as 473, is then stored for subsequent use. The entire ciphertext stream is applied, as symbolized by line 454, to stream cipher procedure 460 with the encrypted MAC being the seed. Within this procedure, the ciphertext stream is processed through a stream cipher, being the same as that used in stream cipher procedure 430 (see FIG. 4A) for encryption, to yield n-2 stream ciphered blocks $\hat{S}$, specifically blocks $\hat{S}_0, \ldots, \hat{S}_{n-2}$, also denoted as blocks 465. These n-2 ciphered blocks, appearing on line 467, are then combined with the n-2 lowest order ciphertext blocks $C_0, \ldots, C_{n-2}$, appearing on line 453, through exclusive-OR operation 470 on a corresponding block-by-block basis to yield, on line 472, n-2 lowest order blocks of recovered intermediate stream $\hat{Y}$, i.e., $\hat{Y}_0, \ldots, \hat{Y}_{n-2}$. The two concatenated blocks, $(\hat{Y}_{n-1}, \hat{Y}_n)$, that form the decrypted MAC are then copied, as symbolized by line 475, into two highest order blocks 482 to form a complete recovered intermediate stream, $\hat{Y}$, also denoted as 480. The entire recovered intermediate stream is processed, as symbolized by line 485, through a backward CBC, as given by equations (9)-(11) as follows, to yield recovered plaintext message, $\hat{P}$, also denoted as 490, namely $\hat{P}_0, \ldots, \hat{P}_n$:

For i = 0:

$\hat{P}_0 = \dfrac{F^{-1}[(\hat{Y}_0)]}{e}$   (9)

For even i within n:

$\hat{P}_i = \dfrac{F^{-1}[(\hat{Y}_i)] - (\hat{Y}_{i-1})}{e}$   (10)

For odd i within n:

$\hat{P}_i = G^{-1}[(\hat{Y}_i)] - (\hat{Y}_{i-1})$   (11)

The recovered plaintext message is identical to the incoming plaintext message, P (see FIG. 4A).

In order to verify integrity of the ciphertext, the recovered plaintext message, as shown in FIG. 4B, is then subjected to a forward CBC, in the form given by equations (3)-(5) above and symbolized by line 492, to generate a new intermediate bit stream, $\tilde{Y}$, therefrom. A recreated (recovered) MAC, denoted as 493, is formed by concatenating the two highest-order blocks of stream $\tilde{Y}$, i.e., $(\tilde{Y}_{n-1}, \tilde{Y}_n)$. The recovered MAC and the decrypted MAC, the latter appearing on line 478, are compared through comparison operation 495 to determine any discrepancies therebetween. If the values of these two MACs identically match, then the integrity of the ciphertext is confirmed — as symbolized by YES path 497; the recovered plaintext is valid. Alternatively, if any discrepancy whatsoever exists between these two values — as symbolized by NO path 498, the integrity of the ciphertext has been violated in some fashion from the time the ciphertext was first formed until its present decryption; hence, the recovered plaintext message is invalid and is to be ignored.



As noted above and discussed in detail below, stream cipher procedure 460, which includes both the stream cipher and the exclusive-OR operations, can be replaced by a backward CBC, to yield n-2 blocks of the recovered intermediate bit stream. The backward CBC, as does the stream cipher, would remove the pseudo-random sequence in the two-block encrypted MAC, residing in the highest-order two blocks of the ciphertext message, from the rest of the ciphertext message and, by so doing, yield recovered intermediate bit stream $\hat{Y}$. In this instance, the backward CBC would be implemented through equations (12)-(14) as follows:

For i = n-1:

$\hat{Y}_{n-1} = \dfrac{F^{-1}[(C_{n-1})]}{e}$   (12)

For even i within $0 \le i < n-1$:

$\hat{Y}_i = \dfrac{F^{-1}[(C_i)] - (C_{i+1})}{e}$   (13)

For odd i within $0 \le i < n-1$:

$\hat{Y}_i = G^{-1}[(C_i)] - (C_{i+1})$   (14)
We will now turn to describing flowcharts of the Encryption procedure 500 and Decryption procedure 700 that execute within, e.g., client computer 100 (see FIG. 2) to implement our present invention.

FIG. 5 depicts a flowchart of Encryption procedure 500.

Upon entry to this procedure, block 510 is first executed to calculate the value of a zero-th output block of intermediate stream, Y, as being equal to $F(eP_0)$, and a block counter, i, to the value one. Thereafter, execution enters Encryption - Forward CBC procedure 520 which, given the plaintext as input, computes the intermediate bit stream through a forward cipher block chain. In particular, execution first proceeds to block 525 which determines for block i in the plaintext stream, i.e., $P_i$, and block i-1 in the intermediate stream, i.e., $Y_{i-1}$, the value of block i in the intermediate stream, $Y_i$, depending on whether the value of counter i is then even or odd, through the use of equations (4) or (5) above, respectively. Once the value of block $Y_i$ is so determined, execution proceeds to decision block 530. This decision block determines if all n+1 blocks in the intermediate bit stream have been generated. If any such block remains to be calculated, then decision block 530 routes execution, via NO path 534, to block 535. The latter block increments the block counter by one. Execution then loops back, via path 537, to block 525 to generate the value of the next block in the intermediate stream, and so forth. Alternatively, if all such blocks have been generated, then decision block 530 routes execution, via YES path 532, out of procedure 520 and to block 540.

Block 540, when executed, encrypts the contents 
of the two highest-order blocks in the intermediate 
stream, through a pseudo-random permutation to generate 
the encrypted MAC. Illustratively, as noted above, this
encryption is accomplished through use of DES with (a,b) 
as the key. 

Once the encrypted MAC is produced, then execution proceeds to Encryption Stream Cipher procedure 550, and specifically first to block 555 therein. Block 555 calculates a conventional stream cipher, illustratively the RC4 stream cipher, on the lowest order n-2 blocks of the intermediate bit stream using the encrypted MAC as the seed to the cipher. Execution then proceeds to block 560 which combines, through an exclusive-OR operation, each of the resulting n-2 ciphered blocks, $S_0, \ldots, S_{n-2}$, with a corresponding block in the intermediate bit stream, $Y_0, \ldots, Y_{n-2}$, to yield the n-2 lowest order blocks of the ciphertext message, C. Once all these ciphertext blocks have been generated, execution proceeds to block 570 which, when executed, appends the concatenated two-block encrypted MAC into the ciphertext stream as the two highest order blocks therein, i.e., $C_{n-1}$ and $C_n$, thereby forming the complete ciphertext message C. Thereafter, execution proceeds to block 580 which provides the complete ciphertext message, C, as output; thereafter, execution exits from procedure 500.
FIG. 6 depicts a flowchart of Encryption — Backward CBC procedure 600 that can be substituted for Encryption Stream Cipher procedure 550 in Encryption procedure 500 shown in FIG. 5. As discussed above, a backward CBC can be used, during encryption, in lieu of the stream cipher and exclusive-OR operations, to extend the pseudo-random sequence in the encrypted two-block MAC, that will appear in the highest-order two blocks of the ciphertext message, across the remaining blocks of this message.

Upon entry to this procedure, block 610 is first executed to calculate the value of an n-th output block of ciphertext stream, $C_n$, as being equal to $F(eY_n)$, and initialize a block counter, i, to a value n-1. Thereafter, given the intermediate bit stream, Y, as input, block 620 determines for block i in the intermediate bit stream, i.e., $Y_i$, and the value of block i+1 in the ciphertext stream, i.e., $C_{i+1}$, the value of the corresponding block in the ciphertext stream, $C_i$, depending on whether the value of counter i is then even or odd, through the use of equations (7) or (8) above, respectively. Once the value of block $C_i$ is so determined, execution proceeds to decision block 630. This decision block determines if all n-1 blocks in the ciphertext bit stream have been generated. If any such block remains to be calculated, then decision block 630 routes execution, via NO path 633, to block 640. The latter block decrements the block counter by one. Execution then loops back, via path 645, to block 620 to generate the value of the next block in the ciphertext stream, and so forth. Alternatively, if all such blocks have been generated, then execution exits from procedure 600, via YES path 637 emanating from decision block 630.

FIGs. 7A and 7B collectively depict a flowchart 
of Decryption procedure 700; the correct alignment of the 
drawing sheets for these figures is shown in FIG. 7. 

Upon entry to this procedure, block 705 is first executed to decrypt the encrypted MAC, i.e., $(Y_{n-1}', Y_n')$, residing in the two highest-order blocks, i.e., $C_{n-1}$ and $C_n$, of incoming ciphertext message C. The decryption algorithm used is an inverse pseudo-random permutation of that which created the encrypted MAC, e.g., an inverse DES, with (a,b) used as the key. The resulting decrypted MAC, $(\hat{Y}_{n-1}, \hat{Y}_n)$, is then stored for subsequent use. Thereafter, execution proceeds to Decryption Stream Cipher procedure 710 and specifically first to block 715 therein. Block 715 calculates the same conventional stream cipher used in Encryption procedure 500, illustratively the RC4 stream cipher, on the lowest order n-2 blocks of the incoming ciphertext message using the encrypted MAC as the seed to the cipher. Execution then proceeds to block 720 which combines, through an exclusive-OR operation, each of the resulting n-2 ciphered blocks, $S_0, \ldots, S_{n-2}$, with a corresponding block in the incoming ciphertext bit stream, $C_0, \ldots, C_{n-2}$, to yield n-2 lowest order blocks of the recovered intermediate bit stream, $\hat{Y}$. Once all the blocks in the intermediate bit stream have been generated, execution proceeds to block 730 which, when executed, appends the concatenated two-block decrypted MAC, into the recovered intermediate bit stream as the two highest order blocks therein, i.e., $(\hat{Y}_{n-1}, \hat{Y}_n)$, thereby forming the complete recovered intermediate bit stream $\hat{Y}$.

Execution then proceeds to Decryption — Backward CBC procedure 740 which, given the recovered intermediate bit stream as input, computes the recovered plaintext message, $\hat{P}$, through a backward CBC. In particular, execution first proceeds to block 745 which initializes the value of block counter i to the value n. Thereafter, block 750 executes to determine, for blocks i-1 and i in the recovered intermediate bit stream, i.e., $\hat{Y}_i$ and $\hat{Y}_{i-1}$, the value for block i in the recovered plaintext message, i.e., $\hat{P}_i$, depending on whether the value of counter i is then even or odd, through the use of equations (10) or (11) above, respectively. Once the value of this block is so determined, execution proceeds to decision block 760. This decision block determines if all n+1 blocks in the recovered plaintext message have been generated. If any such block remains to be calculated, then decision block 760 routes execution, via NO path 762, to block 765. The latter block decrements the block counter by one. Execution then loops back, via path 766, to block 760 to generate the value of the next block in the recovered plaintext message, and so forth. Alternatively, if all such blocks have been generated, then decision block 760 routes execution, via YES path 764, to block 767. This latter block determines the value of a zero-th output block of the recovered plaintext message in accordance with equation (9) above. Once this block is so determined, execution proceeds from procedure 740 to blocks 770-790 which collectively verify and confirm the integrity of the ciphertext message or indicate an integrity violation.


Block 770, when executed, subjects the recovered plaintext message to a forward CBC, as given by equations (3)-(5) above, to generate a new intermediate bit stream, $\tilde{Y}$, and specifically, within that stream, a recovered MAC. This block forms the recovered MAC by concatenating the two highest-order blocks of stream $\tilde{Y}$, i.e., $(\tilde{Y}_{n-1}, \tilde{Y}_n)$. Once the recovered MAC is so formed, execution proceeds to decision block 775 which tests for any discrepancies between the recovered MAC and the decrypted MAC, the latter being $(\hat{Y}_{n-1}, \hat{Y}_n)$. If decision block 775 determines that the values of these two MACs identically match, then the integrity of the ciphertext is confirmed. Hence, execution proceeds, via YES path 776, to block 780. This latter block provides the recovered plaintext message as output along with an indication confirming its integrity. Alternatively, if any discrepancy whatsoever exists between the values of these two MACs, then the integrity of the ciphertext, C, has been violated in some fashion. Consequently, in this case, decision block 775 routes execution, via NO path 778, to block 790. This latter block, when executed, provides an error message indicating that the integrity of the ciphertext has been compromised and hence the recovered plaintext is invalid. Once block 780 or 790 fully executes, execution exits, via path 795, from procedure 700.

FIG. 8 depicts a flowchart of Decryption — 
Backward CBC procedure 800 that can be substituted for 
Decryption Stream Cipher procedure 710 contained within 
Decryption procedure 700 shown in FIGs. 7A and 7B. As 
discussed above, a backward CBC can be used, during 
decryption, in lieu of the stream cipher and exclusive-OR 
operations, to generate n-2 lowest order blocks of the 
intermediate bit stream which does not contain the 
pseudo-random sequence that has been extended, during 
encryption, from the highest-order two blocks of the 
ciphertext message into the remainder of that message. 

Upon entry to this procedure as shown in FIG. 8, block 810 is first executed to initialize a block counter (i) to zero. Thereafter, given the ciphertext stream, C, as input, block 820 determines for blocks i-1 and i in the ciphertext bit stream, i.e., $C_{i-1}$ and $C_i$, the value of block i in the recovered intermediate bit stream, i.e., $\hat{Y}_i$, depending on whether the value of counter i is then even or odd, through the use of equations (13) or (14) above, respectively. Once the value of block $\hat{Y}_i$ is so determined, execution proceeds to decision block 830. This decision block determines if all n-1 blocks in the recovered intermediate bit stream have been generated. If any such block remains to be calculated, then decision block 830 routes execution, via NO path 833, to block 840. The latter block decrements the block counter by one. Execution then loops back, via path 845, to block 820 to generate the value of the next block in the recovered intermediate bit stream, and so forth. Alternatively, if all such blocks have been generated, then decision block 830 directs execution, via YES path 837, to block 850. This latter block calculates the value of the n-th block of the recovered intermediate bit stream through use of equation (12). Once block 850 has executed, execution then exits from procedure 800.

As one variant of our invention, the term "e" can be replaced in certain applications by $e^{((i/2)+1)}$ or the value 1, where, e.g., for even i within n, the following equation can be used in lieu of equation (4) above:

$Y_i = F[(Y_{i-1}) + e^{((i/2)+1)} \cdot P_i]$   (15)

Consequently, the term "e" appearing in various equations above can be generalized as $e^{\alpha}$, where $\alpha$ equals 0, 1 or ((i/2)+1).

Furthermore, though the functions F(x) and G(x) are alternatively employed based on the value of i, i.e., whether its current value is even or odd, both functions, in another variant of our present invention, can be used together for each i greater than zero. Consider an encryption key being composed of (a,b,c,d) (though without e) with, as discussed above,

$F(x) = ax + b$   (16)

and $G(x) = cx + d$.   (17)

Let $Y = Y_0, Y_1, \ldots, Y_n$, as previously, but with

$Y_0 = F(P_0)$ and   (18)

$Y_i = F[Y_{i-1} + P_i]$ for all $n \ge i > 0$.   (19)

Let $K = K_0, K_1, \ldots, K_n$ with

$K_0 = G(P_0)$; and   (20)

for $n \ge i > 0$

$K_i = G[K_{i-1} + P_i]$.   (21)

The highest order block of the MAC becomes $Y_n = K_n$ with the remaining block of the MAC being given by equation (22) below:

$Y_{n-1} = \sum_{k=0}^{n} K_k$   (22)

Since the manner through which the inventive technique shown in FIGs. 4A and 4B and in detailed form in FIGs. 5-8 would be modified to utilize either of these variants should be readily apparent to anyone skilled in the art, we will not discuss either of these variants any further.

Also, those skilled in the art will realize 
that although the present invention has been described in 
terms of using 32-bit blocks, 64-bit blocks can be used 
instead and through the same methodology set forth above. 
Disadvantageously, 64-bit multiplications require four 
times the processing time to compute than do 32-bit 
multiplications. Nevertheless, with 64-bit blocks, the 
DES key, i.e., (a,b), will consist of a single block 
thereby providing a measure of programming simplification 
— but which is unlikely to outweigh the four-fold 
increase in processing time. 

In addition, though the MAC (and encrypted MAC) 
has been described as being 64 bits in length, i.e., two 
32-bit blocks, MACs of other bit (and block) sizes, such 
as a single 32-bit block or more than 64 bits long (but 
sized in integer blocks) may be used instead. Larger MACs provide greater levels of encryption, to the extent it is warranted, though at a likely cost of increased processing time to encrypt and decrypt the MAC.

In particular, though the block size (l) is preferably set at 32 bits, the size of the MAC can be readily increased from 64 bits (2l) to 96 bits (3l). To do so, rather than applying each block of a plaintext message, P (i.e., $P_0, P_1, \ldots, P_n$), directly as input to our inventive technique, as described above, that block could be processed through a predefined chaining operation to yield a chained plaintext message P'. Illustratively, for any input block $x_i$ where i = 0, 1, ... n, this chaining operation could be implemented as given by equation (24) below:

Y_i = H[x_i +   (23)

where: f and g are also integers and an encryption key is defined by (a,b,c,d,e,f,g) within the field Z (mod p) and

$H(x) = fx + g$.   (24)

The chained plaintext message P' would then be applied, rather than plaintext message P, as input to our inventive technique. A 96-bit MAC would be formed by appending the value of block n (i.e., $P_n'$) of the chained message as a 32-bit MAC to the 64-bit MAC (i.e., $(Y_{n-1}, Y_n)$) produced by the inventive technique to yield a 96-bit MAC (i.e., $(Y_{n-1}, Y_n, P_n')$). The resulting 96-bit MAC
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would then be encrypted, as described above, through 
conventional pseudo-random encryption and then inserted 
as appropriate high order blocks into an output 
ciphertext message. Even longer MACs can be generated in 
a similar fashion by processing an input message through 
multiple chaining operations in succession and then 
appending all the ensuing individual MACs that are so 
generated to the 64-bit MAC generated by our present 
inventive technique. Consequently, "plaintext", as it 
relates to the data that is directly applied as input to 
our inventive technique, collectively encompasses any 
such data regardless of whether it is an actual plaintext 
message itself or a chained plaintext message. 
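The following is an added worked example, not code from the applicant, of the MAC variant of equations (19) to (22) and of the chained-plaintext extension just described. It carries the arithmetic in the field Z (mod p) named above; the prime p = 2**32 - 5, the key values and the sample message are constructed for the example. Equation (23) is truncated in the text, so the chaining step is read here as P'_i = H[x_i + P'_{i-1}] with P'_{-1} = 0, which is an assumption of this example, as is the byte-to-block splitting convention.

```python
"""Forward-CBC MAC of equations (19) to (22) and the chained-plaintext
extension that lengthens it from 64 to 96 bits (equations (23), (24)).

Added example; not the applicant's code.  All arithmetic is in the field
Z (mod p) named in the description; p = 2**32 - 5 is an assumed prime so
that every block still fits in 32 bits.  Key names follow the text:
(a, b, c, d) for F and G, (f, g) for H.
"""

DEFAULT_P = 2**32 - 5  # assumed 32-bit-sized prime modulus


def _affine(m, k, x, p):
    """m*x + k (mod p); F, G and H all have this shape."""
    return (m * x + k) % p


def blocks_from_bytes(data):
    """Split bytes into 32-bit big-endian blocks, zero-padding the tail
    (block boundary convention assumed, not taken from the text)."""
    data = data + b"\x00" * ((-len(data)) % 4)
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)]


def forward_cbc(blocks, key, p=DEFAULT_P):
    """Intermediate stream Y_0..Y_n for plaintext blocks P_0..P_n, key = (a, b, c, d).

    F(x) = ax + b, G(x) = cx + d and
        Y_0 = F[P_0],            K_0 = G[P_0]
        Y_i = F[Y_{i-1} + P_i],  K_i = G[K_{i-1} + P_i]   for n >= i > 0
    after which the two highest-order blocks are replaced by
        Y_n = K_n,  Y_{n-1} = sum_{k=0}^{n} K_k            (equations (21), (22)).
    """
    a, b, c, d = key
    if a % p == 0 or c % p == 0:
        raise ValueError("a and c must be non-zero mod p so that F and G are invertible")
    if len(blocks) < 2:
        raise ValueError("a two-block MAC needs at least two plaintext blocks")
    blocks = [x % p for x in blocks]
    y = [_affine(a, b, blocks[0], p)]
    k = [_affine(c, d, blocks[0], p)]
    for x in blocks[1:]:
        y.append(_affine(a, b, y[-1] + x, p))
        k.append(_affine(c, d, k[-1] + x, p))
    y[-1] = k[-1]           # Y_n = K_n
    y[-2] = sum(k) % p      # Y_{n-1} = sum of all K_k
    return y


def mac64(blocks, key, p=DEFAULT_P):
    """The 64-bit MAC: the two highest-order blocks (Y_{n-1}, Y_n)."""
    y = forward_cbc(blocks, key, p)
    return (y[-2], y[-1])


def chain_plaintext(blocks, hkey, p=DEFAULT_P):
    """Chained plaintext P' with H(x) = fx + g, hkey = (f, g).

    Equation (23) is truncated in the text; it is read here as
    P'_i = H[x_i + P'_{i-1}] with P'_{-1} = 0, which is an assumption."""
    f, g = hkey
    out, prev = [], 0
    for x in blocks:
        prev = _affine(f, g, x + prev, p)
        out.append(prev)
    return out


def mac96(blocks, key, hkey, p=DEFAULT_P):
    """96-bit MAC (Y_{n-1}, Y_n, P'_n): the 64-bit MAC of the chained
    plaintext followed by the chained message's last block."""
    chained = chain_plaintext(blocks, hkey, p)
    y = forward_cbc(chained, key, p)
    return (y[-2], y[-1], chained[-1])


if __name__ == "__main__":
    # Constructed sample key and message; not values from the text.
    key = (0x9E3779B1, 0x7F4A7C15, 0x85EBCA6B, 0xC2B2AE35)
    hkey = (0x27D4EB2F, 0x165667B1)
    msg = blocks_from_bytes(b"constructed sample plaintext, split into 32-bit blocks")
    print("64-bit MAC:", [hex(v) for v in mac64(msg, key)])
    print("96-bit MAC:", [hex(v) for v in mac96(msg, key, hkey)])
    altered = list(msg)
    altered[3] ^= 1
    print("MAC differs after a one-bit change:", mac64(altered, key) != mac64(msg, key))
```

Because G is a permutation of Z (mod p) whenever c is non-zero, a change to any single plaintext block propagates through the K chain to K_n, so the high block Y_n of the MAC always changes; the check on a and c in forward_cbc is there to keep that property. With the small parameters p = 97, (a, b, c, d) = (3, 5, 7, 13) and message (1, 2, 3) the chain can be followed by hand: K = (20, 70, 39), so the 64-bit MAC is (32, 39).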

Although various embodiments which incorporate 
the teachings of the present invention have been shown 
and described in detail herein, those skilled in the art 
can readily devise many other embodiments that still 
utilize these teachings. 
We claim:

1. A method of encrypting a plaintext message into a ciphertext message such that, in response to contents of the ciphertext message itself, a subsequent violation to integrity of the ciphertext message can be detected, the method comprising the steps of:
generating, in response to the plaintext message, an intermediate stream, a predefined portion of the intermediate stream defining a message authentication code (MAC);
inserting an encrypted version of the MAC into a predefined portion of the ciphertext message; and
generating, in response to the intermediate stream and the encrypted MAC, a remainder of the ciphertext message such that the remainder exhibits a predefined variation contained within the encrypted MAC.

2. The method of claim 1 further comprising the steps of:
transforming the plaintext message through a first predefined chaining function into the intermediate stream;
encrypting the predefined portion of the intermediate stream, through a predetermined pseudo-random permutation, into the encrypted MAC;
inserting the encrypted MAC into the predefined portion of the ciphertext message; and
constructing the remainder of the ciphertext message through a second predefined chaining function and in response to both the remainder of the intermediate stream and the encrypted MAC such that a pseudo-random sequence in the encrypted MAC, the sequence being said predefined variation, extends throughout the remainder of the ciphertext message.

3. The method in claim 2 wherein the first predefined chaining function comprises a first cyclic block cipher (CBC).

4. The method in claim 3 wherein the first cyclic block cipher is a forward CBC.

5. The method in claim 4 wherein the forward CBC is calculated according to the following equations:
for i = 0: Y_0 = F[e^α · P_0],
for even i within n: Y_i = F[(Y_{i-1}) + e^α · P_i], and
for odd i within n: Y_i = G[(Y_{i-1}) + P_i]
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively, Y_0 and Y_i represent blocks zero and i within the intermediate stream, respectively, the plaintext message having n+1 blocks and with 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

6. The method in claim 4 wherein the forward CBC is calculated according to the following equations, where K is a second intermediate stream having n+1 blocks, K_i:
for i = 0:
Y_0 = F[P_0]
K_0 = G[P_0]
for all i, n ≥ i > 0:
Y_i = F[(Y_{i-1}) + P_i]; and
K_i = G[(K_{i-1}) + P_i];
where:
Y_n = K_n; and
Y_{n-1} = Σ_{k=0}^{n} K_k; and
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively; Y_0, Y_i and Y_n represent blocks zero, i and n within the intermediate stream, respectively; and K_0, K_i and K_n represent blocks 0, i and n within the second intermediate stream, respectively; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d;
with a, b, c and d each being a predefined integer value.

7. The method in claim 2 wherein the second predefined chaining function comprises either a stream cipher procedure or a second cyclic block cipher (CBC).
8. The method in claim 8 wherein the second cyclic block cipher is a backward CBC.

9. The method in claim 8 wherein the backward CBC is calculated according to the following equations:
for i = n-1: C_{n-1} = F[e^α · Y_{n-1}],
for even i within 0 ≤ i < n-1: C_i = F[(C_{i+1}) + e^α · Y_i], and
for odd i within 0 ≤ i < n-1: C_i = G[(C_{i+1}) + Y_i]
where: C_i and C_{n-1} represent the i-th and (n-1)-th blocks within the ciphertext message (C), respectively, Y_n and Y_i represent the n-th and i-th blocks within the intermediate stream, respectively, the ciphertext message having n+1 blocks and 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

10. The method in claim 4 wherein the constructing step further comprises the steps, provided through the stream cipher procedure, of:
generating a cipher stream through a predefined stream cipher function in response to both the intermediate stream and, as a seed to the stream cipher function, the encrypted MAC; and
combining, through a predetermined function, each different block of the cipher stream with a corresponding different block of the intermediate stream so as to yield a corresponding different one of the blocks of the remainder of the ciphertext message.

11. The method in claim 2 wherein the encrypting step comprises the step of generating the encrypted MAC through use of DES (data encryption standard).

12. A computer readable medium having computer executable instructions stored therein for performing the steps of claim 1.

13. A method of decrypting a ciphertext message into a recovered plaintext message and detecting whether integrity of the ciphertext message has been violated, the method comprising the steps of:
decrypting the ciphertext message into a recovered plaintext message comprising the steps of:
removing, in response to an encrypted message authentication code contained in a predefined portion of the ciphertext message, a predefined variation from a remainder of the ciphertext message so as to yield an intermediate stream, the variation also being contained within the encrypted MAC; and
determining the recovered plaintext message, as a predefined function of the intermediate stream and a decrypted version of the encrypted MAC; and
determining whether the integrity of the ciphertext message has been violated comprising the steps of:
generating, in response to the recovered plaintext message, a recovered MAC therefrom; and
comparing the values of the recovered MAC and the decrypted MAC so as to determine any discrepancy therebetween, whereby said discrepancy indicates that the ciphertext message has been altered prior to its decryption.

14. The method of claim 13 wherein the intermediate stream has a predefined portion and a remainder and the decrypting step further comprises the steps of:
decrypting the predefined portion of the ciphertext message, through a predetermined inverse pseudo-random permutation, so as to yield the decrypted MAC;
constructing the remainder of the intermediate stream, through a first predefined chaining function and in response to both the ciphertext stream and the encrypted MAC, such that a pseudo-random sequence in the encrypted MAC has been removed from the remainder of the intermediate stream, the sequence being said predefined variation;
inserting the decrypted MAC into the predefined portion of the intermediate stream; and
transforming the intermediate stream, through a second predefined chaining function, so as to yield the recovered plaintext message; and
the determining step further comprises the step of ascertaining, through a third predefined chaining function and in response to the recovered plaintext message, the recovered MAC therefrom.
15. The method in claim 14 wherein the first predefined chaining function comprises either a first cyclic block cipher (CBC) or a stream cipher.

16. The method in claim 15 wherein the first cyclic block cipher is a backward CBC.

17. The method in claim 16 wherein the backward CBC is calculated according to the following equations:
for i = n-1: Ŷ_{n-1} = F^{-1}[C_{n-1}] / e^α,
for even i within 0 ≤ i < n-1: Ŷ_i = (F^{-1}[C_i] − C_{i+1}) / e^α, and
for odd i within 0 ≤ i < n-1: Ŷ_i = G^{-1}[C_i] − C_{i+1}
where: Ŷ_{n-1} and Ŷ_i represent the (n-1)-th and i-th blocks within the intermediate stream (Ŷ), respectively, C_i and C_{i+1} represent the i-th and (i+1)-th blocks within the ciphertext message, respectively, the ciphertext message having n+1 blocks and with 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

18. The method in claim 14 wherein the second predefined chaining function comprises a second cyclic block cipher (CBC).

19. The method in claim 18 wherein the second cyclic block cipher is a backward CBC.

20. The method in claim 19 wherein the backward CBC is calculated according to the following equations:
for i = 0: P̂_0 = F^{-1}[Ŷ_0] / e^α,
for even i within n: P̂_i = (F^{-1}[Ŷ_i] − Ŷ_{i-1}) / e^α, and
for odd i within n: P̂_i = G^{-1}[Ŷ_i] − Ŷ_{i-1}
where: Ŷ_0, Ŷ_{i-1} and Ŷ_i represent the zero, (i-1)-th and i-th blocks within the intermediate stream (Ŷ), respectively, P̂_0 and P̂_i represent the zero and i-th blocks within the recovered plaintext message (P̂), respectively, the plaintext message having n+1 blocks and 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

21. The method in claim 16 wherein the constructing step further comprises the steps, provided through the stream cipher procedure, of:
generating a cipher stream through a predefined stream cipher function in response to both the ciphertext message and, as a seed to the stream cipher function, the encrypted MAC; and
combining, through a predetermined function, each different block of the cipher stream with a corresponding different block of the ciphertext message so as to yield a corresponding different one of the blocks of the remainder of the intermediate stream.

22. The method in claims 10 or 21 wherein the predetermined function is an exclusive-OR operation.

23. The method in claims 10 or 21 wherein the predefined stream cipher function is an RC4 stream cipher.

24. The method in claim 14 wherein the decrypting step comprises the step of generating the decrypted MAC through use of an inverse DES (data encryption standard).

25. The method in claim 14 wherein the third predefined chaining function comprises a first cyclic block cipher (CBC).

26. The method in claim 25 wherein the first cyclic block cipher is a forward CBC.

27. The method in claim 26 wherein the forward CBC is calculated according to the following equations:
for i = 0: Ŷ_0 = F[e^α · P_0],
for even i within n: Ŷ_i = F[(Ŷ_{i-1}) + e^α · P_i], and
for odd i within n: Ŷ_i = G[(Ŷ_{i-1}) + P_i]
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively, Ŷ_0 and Ŷ_{i-1} represent the zero and (i-1)-th blocks within a second intermediate stream, respectively, the plaintext message having n+1 blocks and with 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

28. A computer readable medium having computer executable instructions stored therein for performing the steps of claim 13.
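The stream cipher procedure of claims 10 and 21 to 23, as an added example that is not the applicant's code: RC4 is keyed with the two encrypted MAC blocks, its output is combined by exclusive-OR with Y_0 ... Y_{n-2}, and the encrypted MAC itself occupies the two highest-order ciphertext positions; decryption reads the encrypted MAC from those positions and regenerates the same cipher stream. The DES permutation that produces the encrypted MAC is outside this block, so the encrypted MAC is passed in as a constructed pair of 32-bit values. Big-endian block encoding, and keying RC4 from the seed alone rather than from the intermediate stream as well, are assumptions of the example.

```python
"""Stream-cipher layer of the encryption procedure: RC4 seeded with the
encrypted MAC, XORed block by block over Y_0..Y_{n-2}, with the encrypted
MAC occupying positions n-1 and n of the ciphertext.

Added example; not the applicant's code.  The DES permutation that produces
the encrypted MAC is outside this block, so the encrypted MAC is passed in
as an already-encrypted pair of 32-bit values.  Big-endian blocks and the
seed being the only RC4 key input are assumptions.
"""
import struct

BLOCK = struct.Struct(">I")  # one 32-bit block, big-endian (assumed)


def rc4_keystream(key, nbytes):
    """Plain RC4 (KSA then PRGA); returns nbytes of keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(nbytes):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def cipher_stream(enc_mac, nblocks):
    """S_0..S_{nblocks-1}: RC4 keyed with the seed (Y'_{n-1}, Y'_n)."""
    seed = BLOCK.pack(enc_mac[0]) + BLOCK.pack(enc_mac[1])
    ks = rc4_keystream(seed, BLOCK.size * nblocks)
    return [BLOCK.unpack_from(ks, BLOCK.size * i)[0] for i in range(nblocks)]


def encrypt_remainder(y_blocks, enc_mac):
    """Given Y_0..Y_{n-2} and the encrypted MAC, return C_0..C_n where
    C_i = Y_i XOR S_i for i <= n-2 and (C_{n-1}, C_n) is the encrypted MAC."""
    s = cipher_stream(enc_mac, len(y_blocks))
    return [y ^ k for y, k in zip(y_blocks, s)] + [enc_mac[0], enc_mac[1]]


def decrypt_remainder(c_blocks):
    """Inverse step of claim 21: read the encrypted MAC from the two
    highest-order positions, regenerate S from it and XOR it back out.
    Returns (Y_0..Y_{n-2}, encrypted MAC)."""
    if len(c_blocks) < 3:
        raise ValueError("ciphertext needs the two MAC blocks plus at least one data block")
    enc_mac = (c_blocks[-2], c_blocks[-1])
    s = cipher_stream(enc_mac, len(c_blocks) - 2)
    return [c ^ k for c, k in zip(c_blocks[:-2], s)], enc_mac


if __name__ == "__main__":
    # Constructed sample intermediate stream and encrypted MAC; not values from the text.
    y = [0x00000001, 0xDEADBEEF, 0x12345678, 0xFFFFFFFF]
    enc_mac = (0x0BADF00D, 0xCAFEBABE)
    c = encrypt_remainder(y, enc_mac)
    print("ciphertext:", [hex(v) for v in c])
    recovered, seen_mac = decrypt_remainder(c)
    print("round trip ok:", recovered == y and seen_mac == enc_mac)
    tampered = list(c)
    tampered[-1] ^= 1  # one bit of the encrypted MAC changed in transit
    print("recovered stream differs when the seed changes:",
          decrypt_remainder(tampered)[0] != y)
```

Because exclusive-OR is its own inverse, the receiver regenerates S from whatever it finds in positions n-1 and n; this is the sense in which claim 2 says the pseudo-random sequence in the encrypted MAC extends throughout the remainder of the ciphertext, since every block C_0 ... C_{n-2} is a function of that seed and a changed seed changes how all of them decrypt.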

29. Apparatus for encrypting a plaintext message (410) into a ciphertext message (451) such that, in response to contents of the ciphertext message itself, a subsequent violation to integrity of the ciphertext message can be detected, comprising:
a processor (340); and
a memory (330) having computer executable instructions (120, 337) stored therein;
wherein, in response to the stored instructions, the processor:
generates, in response to the plaintext message, an intermediate stream (420), a predefined portion of the intermediate stream defining a message authentication code (MAC) (422);
inserts an encrypted version (445) of the MAC into a predefined portion of the ciphertext message; and
generates, in response to the intermediate stream and the encrypted MAC, a remainder of the ciphertext message such that the remainder exhibits a predefined variation contained within the encrypted MAC.

30. The apparatus of claim 29 wherein the processor, in response to the stored instructions:
transforms the plaintext message through a first predefined chaining function (415) into the intermediate stream (420);
encrypts the predefined portion of the intermediate stream, through a predetermined pseudo-random permutation, into the encrypted MAC (445);
inserts the encrypted MAC into the predefined portion of the ciphertext message; and
constructs the remainder of the ciphertext message through a second predefined chaining function and in response to both the remainder of the intermediate stream and the encrypted MAC such that a pseudo-random sequence in the encrypted MAC, the sequence being said predefined variation, extends throughout the remainder of the ciphertext message.

31. The apparatus in claim 30 wherein the first predefined chaining function comprises a first cyclic block cipher (CBC).

32. The apparatus in claim 31 wherein the first cyclic block cipher is a forward CBC.

33. The apparatus in claim 32 wherein the forward CBC is calculated according to the following equations:
for i = 0: Y_0 = F[e^α · P_0],
for even i within n: Y_i = F[(Y_{i-1}) + e^α · P_i], and
for odd i within n: Y_i = G[(Y_{i-1}) + P_i]
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively, Y_0 and Y_i represent blocks zero and i within the intermediate stream, respectively, the plaintext message having n+1 blocks and with 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

34. The apparatus in claim 31 wherein the forward CBC is calculated according to the following equations, where K is a second intermediate stream having n+1 blocks, K_i:
for i = 0:
Y_0 = F[P_0]
K_0 = G[P_0]
for all i, n ≥ i > 0:
Y_i = F[(Y_{i-1}) + P_i]; and
K_i = G[(K_{i-1}) + P_i];
where:
Y_n = K_n; and
Y_{n-1} = Σ_{k=0}^{n} K_k; and
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively; Y_0, Y_i and Y_n represent blocks zero, i and n within the intermediate stream, respectively; and K_0, K_i and K_n represent blocks 0, i and n within the second intermediate stream, respectively; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d;
with a, b, c and d each being a predefined integer value.

35. The apparatus in claim 30 wherein the second predefined chaining function comprises either a stream cipher procedure or a second cyclic block cipher (CBC).

36. The apparatus in claim 25 wherein the second cyclic block cipher is a backward CBC.

37. The apparatus in claim 36 wherein the backward CBC is calculated according to the following equations:
for i = n-1: C_{n-1} = F[e^α · Y_{n-1}],
for even i within 0 ≤ i < n-1: C_i = F[(C_{i+1}) + e^α · Y_i], and
for odd i within 0 ≤ i < n-1: C_i = G[(C_{i+1}) + Y_i]
where: C_i and C_{n-1} represent the i-th and (n-1)-th blocks within the ciphertext message (C), respectively, Y_n and Y_i represent the n-th and i-th blocks within the intermediate stream, respectively, the ciphertext message having n+1 blocks and 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

38. The apparatus in claim 32 wherein the processor, in response to the stored instructions and through the stream cipher procedure:
generates a cipher stream through a predefined stream cipher function in response to both the intermediate stream (420) and, as a seed to the stream cipher function, the encrypted MAC (445); and
combines, through a predetermined function (440), each different block of the cipher stream with a corresponding different block of the intermediate stream so as to yield a corresponding different one of the blocks of the remainder of the ciphertext message.

39. The apparatus in claim 30 wherein the processor, in response to the stored instructions, generates the encrypted MAC through use of DES (data encryption standard).

40. Apparatus for decrypting a ciphertext message (451) into a recovered plaintext message (490) and detecting whether integrity of the ciphertext message has been violated, comprising:
a processor (340); and
a memory (330) having computer executable instructions stored therein;
wherein, in response to the stored instructions, the processor:
removes, in response to an encrypted message authentication code (452) contained in a predefined portion of the ciphertext message, a predefined variation from a remainder of the ciphertext message so as to yield an intermediate stream (480), the variation also being contained within the encrypted MAC; and
determines the recovered plaintext message, as a predefined function of the intermediate stream and a decrypted version (473) of the encrypted MAC;
generates, in response to the recovered plaintext message, a recovered MAC (493) therefrom; and
compares the values of the recovered MAC and the decrypted MAC so as to determine any discrepancy therebetween, whereby said discrepancy indicates that the ciphertext message has been altered prior to its decryption.

41. The apparatus of claim 40 wherein the intermediate stream has a predefined portion and a remainder, and the processor, in response to the stored instructions:
decrypts the predefined portion of the ciphertext message, through a predetermined inverse pseudo-random permutation, so as to yield the decrypted MAC (473);
constructs the remainder of the intermediate stream, through a first predefined chaining function and in response to both the ciphertext stream and the encrypted MAC (452), such that a pseudo-random sequence in the encrypted MAC has been removed from the remainder of the intermediate stream, the sequence being said predefined variation;
inserts the decrypted MAC into the predefined portion of the intermediate stream;
transforms the intermediate stream, through a second predefined chaining function, so as to yield the recovered plaintext message (490); and
ascertains, through a third predefined chaining function and in response to the recovered plaintext message, the recovered MAC (493) therefrom.

42. The apparatus in claim 41 wherein the first predefined chaining function comprises either a first cyclic block cipher (CBC) or a stream cipher.

43. The apparatus in claim 42 wherein the first cyclic block cipher is a backward CBC.

44. The apparatus in claim 43 wherein the backward CBC is calculated according to the following equations:
for i = n-1: Ŷ_{n-1} = F^{-1}[C_{n-1}] / e^α,
for even i within 0 ≤ i < n-1: Ŷ_i = (F^{-1}[C_i] − C_{i+1}) / e^α, and
for odd i within 0 ≤ i < n-1: Ŷ_i = G^{-1}[C_i] − C_{i+1}
where: Ŷ_{n-1} and Ŷ_i represent the (n-1)-th and i-th blocks within the intermediate stream (Ŷ), respectively, C_i and C_{i+1} represent the i-th and (i+1)-th blocks within the ciphertext message, respectively, the ciphertext message having n+1 blocks and with 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

45. The apparatus in claim 41 wherein the second predefined chaining function comprises a second cyclic block cipher (CBC).

46. The apparatus in claim 45 wherein the second cyclic block cipher is a backward CBC.

47. The apparatus in claim 46 wherein the backward CBC is calculated according to the following equations:
for i = 0: P̂_0 = F^{-1}[Ŷ_0] / e^α,
for even i within n: P̂_i = (F^{-1}[Ŷ_i] − Ŷ_{i-1}) / e^α, and
for odd i within n: P̂_i = G^{-1}[Ŷ_i] − Ŷ_{i-1}
where: Ŷ_0, Ŷ_{i-1} and Ŷ_i represent the zero, (i-1)-th and i-th blocks within the intermediate stream (Ŷ), respectively, P̂_0 and P̂_i represent the zero and i-th blocks within the recovered plaintext message (P̂), respectively, the plaintext message having n+1 blocks and 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).

48. The apparatus in claim 43 wherein the processor, in response to the stored instructions:
generates a cipher stream (465) through a predefined stream cipher function in response to both the ciphertext message and, as a seed to the stream cipher function, the encrypted MAC (452); and
combines, through a predetermined function (470), each different block of the cipher stream with a corresponding different block of the ciphertext message so as to yield a corresponding different one of the blocks of the remainder of the intermediate stream.

49. The apparatus in claims 38 or 48 wherein the predetermined function is an exclusive-OR operation.

50. The apparatus in claims 38 or 48 wherein the predefined stream cipher function is an RC4 stream cipher.

51. The apparatus in claim 41 wherein the processor, in response to the stored instructions, generates the decrypted MAC (473) through use of an inverse DES (data encryption standard).

52. The apparatus in claim 41 wherein the third predefined chaining function comprises a first cyclic block cipher (CBC).

53. The apparatus in claim 52 wherein the first cyclic block cipher is a forward CBC.

54. The apparatus in claim 53 wherein the forward CBC is calculated according to the following equations:
for i = 0: Ŷ_0 = F[e^α · P_0],
for even i within n: Ŷ_i = F[(Ŷ_{i-1}) + e^α · P_i], and
for odd i within n: Ŷ_i = G[(Ŷ_{i-1}) + P_i]
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively, Ŷ_0 and Ŷ_{i-1} represent the zero and (i-1)-th blocks within a second intermediate stream, respectively, the plaintext message having n+1 blocks and with 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value, and α equals 0, 1 or ((i/2)+1).
55. A method of generating a message authentication code (MAC) from a plaintext message (P) having n+1 blocks (P_i; where n ≥ i ≥ 0 and n is an integer) comprising the step of transforming the plaintext message through a predefined chaining operation into a first stream Y having n+1 blocks (Y_i), wherein a predefined portion of the first stream defines the MAC.

56. The method in claim 55 wherein the predefined chaining function comprises a cyclic block cipher (CBC) and the portion comprises two successive blocks of the intermediate first stream appended together.

57. The method in claim 56 wherein the cyclic block cipher is a forward CBC and the two successive blocks are blocks Y_{n-1} and Y_n.

58. The method in claim 57 wherein the forward CBC is calculated according to the following equations:
for i = 0: Y_0 = F[e^α · P_0],
for even i within n: Y_i = F[(Y_{i-1}) + e^α · P_i], and
for odd i within n: Y_i = G[(Y_{i-1}) + P_i]
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively, Y_0 and Y_i represent blocks zero and i within the first stream, respectively, the plaintext message having n+1 blocks and with 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value and α equals 0, 1 or ((i/2)+1).

59. The method in claim 57 wherein the forward CBC is calculated according to the following equations, where K is a second stream having n+1 blocks, K_i:
for i = 0:
Y_0 = F[P_0]
K_0 = G[P_0]
for all i, n ≥ i > 0:
Y_i = F[(Y_{i-1}) + P_i]; and
K_i = G[(K_{i-1}) + P_i];
where:
Y_n = K_n; and
Y_{n-1} = Σ_{k=0}^{n} K_k; and
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively; Y_0, Y_i and Y_n represent blocks zero, i and n within the first stream, respectively; and K_0, K_i and K_n represent blocks 0, i and n within the second stream, respectively; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d;
with a, b, c and d each being a predefined integer value.

60. A computer readable medium having computer executable instructions stored therein for performing the steps of claim 55.

61. Apparatus for generating a message authentication code (MAC) (422) from a plaintext message (P) (410) having n+1 blocks (P_i; where n ≥ i ≥ 0 and n is an integer) comprising:
a processor (340); and
a memory (330) having computer executable instructions (120, 337) stored therein;
wherein, in response to the stored instructions, the processor:
transforms the plaintext message (410) through a predefined chaining operation into a first stream Y having n+1 blocks Y_i, wherein a predefined portion of the first stream defines the MAC.

62. The apparatus in claim 61 wherein the predefined chaining function comprises a cyclic block cipher (CBC) and the portion comprises two successive blocks of the intermediate first stream appended together.

63. The apparatus in claim 62 wherein the cyclic block cipher is a forward CBC and the two successive blocks are blocks Y_{n-1} and Y_n.

64. The apparatus in claim 63 wherein the forward CBC is calculated according to the following equations:
for i = 0: Y_0 = F[e^α · P_0],
for even i within n: Y_i = F[(Y_{i-1}) + e^α · P_i], and
for odd i within n: Y_i = G[(Y_{i-1}) + P_i]
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively, Y_0 and Y_i represent blocks zero and i within the first stream, respectively, the plaintext message having n+1 blocks and with 0 ≤ i ≤ n; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d
where: a, b, c, d and e are each a predefined integer value and α equals 0, 1 or ((i/2)+1).

65. The apparatus in claim 63 wherein the forward CBC is calculated according to the following equations, where K is a second stream having n+1 blocks, K_i:
for i = 0:
Y_0 = F[P_0]
K_0 = G[P_0]
for all i, n ≥ i > 0:
Y_i = F[(Y_{i-1}) + P_i]; and
K_i = G[(K_{i-1}) + P_i];
where:
Y_n = K_n; and
Y_{n-1} = Σ_{k=0}^{n} K_k; and
where: P_0 and P_i represent blocks zero and i within the plaintext message (P), respectively; Y_0, Y_i and Y_n represent blocks zero, i and n within the first stream, respectively; and K_0, K_i and K_n represent blocks 0, i and n within the second stream, respectively; and functions F and G are defined by the following equations:
F(x) = ax + b; and
G(x) = cx + d;
with a, b, c and d each being a predefined integer value.


WO 99/55039 



1 / 8 



PCT/US99/08612 




FIG. 4A  ENCRYPTION PROCESS 400 (drawing; only the figure labels are recoverable): 

410  Incoming plaintext, P: $P_0, P_1, \ldots, P_n$ 
415  Forward CBC 
420  Intermediate bit stream, Y: $Y_0, Y_1, \ldots, Y_{n-1}, Y_n$; the last two blocks $(Y_{n-1}, Y_n)$ form the message authentication code (422, 423) 
445  Pseudo-random encryption of the MAC, giving the encrypted MAC $(Y'_{n-1}, Y'_n)$ 
430  Stream cipher, with the encrypted MAC as "seed" (432): $S = SC(Y, (Y'_{n-1}, Y'_n))$, yielding $S_0, S_1, S_2, \ldots, S_{n-2}$ (435) 
437  Exclusive-OR (X-OR) of $Y_0, \ldots, Y_{n-2}$ with $S_0, \ldots, S_{n-2}$, giving $C_0, \ldots, C_{n-2}$ (442) 
449  Output ciphertext, C: $C_0, C_1, C_2, \ldots, C_{n-1}, C_n$ 
451  Copy encrypted MAC $(Y'_{n-1}, Y'_n)$ into $C_{n-1}, C_n$ 






FIG. 5  ENCRYPTION PROCEDURE 500 (flowchart; text recovered from the figure): 

ENTER 
510  Incoming plaintext, P 
     Initialize: $i \leftarrow 1$; $Y_0 = F(e \cdot P_0)$ 
520-537  Encryption, forward CBC procedure: calculate intermediate bit stream: 
     for even i: $Y_i = F[(Y_{i-1}) + e \cdot P_i]$ 
     for odd i: $Y_i = G[(Y_{i-1}) + P_i]$ 
     Increment i: $i \leftarrow i + 1$ and repeat until the message is consumed 
540  Generate encrypted MAC $(Y'_{n-1}, Y'_n)$ through pseudo-random permutation of $(Y_{n-1}, Y_n)$, i.e., using DES with (a, b) as a key 
550-555  Encryption, stream cipher procedure: calculate stream cipher, S, with $(Y'_{n-1}, Y'_n)$ as seed and the concatenated string $Y_0 \ldots Y_{n-2}$ as input to yield the blocks $S_0, \ldots, S_{n-2}$ 
560  Generate n-1 blocks of ciphertext, C, i.e., $C_0, \ldots, C_{n-2}$, as the exclusive-OR combination of corresponding blocks $Y_0, \ldots, Y_{n-2}$ and $S_0, \ldots, S_{n-2}$: $C_i = Y_i \oplus S_i$ for all i = 0 to n-2 
570  Append encrypted MAC $(Y'_{n-1}, Y'_n)$ to ciphertext stream, C, in the n-1 and n positions to yield the complete ciphertext message, C 
580  Provide ciphertext message, C, as output 
EXIT 
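The forward CBC of claim 64 together with the encryption flow of FIGS. 4A and 5 and the decryption flow of FIG. 7A, as an added Python example that is not part of the patent: F and G are the affine maps of the claim computed mod 2**64 with constructed constants a, b, c, d; e is fixed at 1 (one of the claim's permitted values) so that the chain can be inverted; and the DES permutation of the MAC and the stream cipher SC of the figures are replaced by SHA-256-based stand-ins (a two-round Feistel and a seeded keystream), which are assumptions of this example and not the patent's primitives.

```python
import hashlib

MOD = 1 << 64                  # constructed: 8-byte blocks, arithmetic mod 2**64
KEY = b"constructed-demo-key"  # stands in for the (a,b)-derived DES key of FIG. 5
PARAMS = (0x9E3779B97F4A7C15, 0x1234, 0xC2B2AE3D27D4EB4F, 0x5678, 1)  # a, b, c, d, e (a, c, e odd)

def _h(*parts):                # 64-bit value derived from SHA-256 over the joined parts
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest()[:8], "big")

def forward_cbc(P, a, b, c, d, e):
    """Claim 64: Y_0 = F[e*P_0]; even i: Y_i = F[Y_{i-1} + e*P_i]; odd i: Y_i = G[Y_{i-1} + P_i]."""
    F = lambda x: (a * x + b) % MOD
    G = lambda x: (c * x + d) % MOD
    Y = [F(e * P[0])]
    for i in range(1, len(P)):
        Y.append(F(Y[i - 1] + e * P[i]) if i % 2 == 0 else G(Y[i - 1] + P[i]))
    return Y

def invert_cbc(Y, a, b, c, d, e):
    """Undo the chain block by block; a, c and e must be odd to be invertible mod 2**64."""
    ia, ic, ie = (pow(v, -1, MOD) for v in (a, c, e))
    Finv = lambda y: ((y - b) * ia) % MOD
    Ginv = lambda y: ((y - d) * ic) % MOD
    P = [Finv(Y[0]) * ie % MOD]
    for i in range(1, len(Y)):
        P.append((Finv(Y[i]) - Y[i - 1]) * ie % MOD if i % 2 == 0
                 else (Ginv(Y[i]) - Y[i - 1]) % MOD)
    return P

def prp(pair, decrypt=False):
    """Two-round Feistel stand-in for the keyed permutation of the MAC (DES in FIG. 5)."""
    L, R = pair
    for r in ((1, 0) if decrypt else (0, 1)):
        if decrypt:
            L, R = R ^ _h(KEY, bytes([r]), L.to_bytes(8, "big")), L
        else:
            L, R = R, L ^ _h(KEY, bytes([r]), R.to_bytes(8, "big"))
    return (L, R)

def keystream(seed, count):    # stand-in stream cipher SC: S_i from the encrypted-MAC seed and i
    s = seed[0].to_bytes(8, "big") + seed[1].to_bytes(8, "big")
    return [_h(KEY, s, i.to_bytes(4, "big")) for i in range(count)]

def encrypt(P):
    Y = forward_cbc(P, *PARAMS)                    # steps 520-537: intermediate stream Y
    emac = prp((Y[-2], Y[-1]))                     # step 540: encrypted MAC (Y'_{n-1}, Y'_n)
    S = keystream(emac, len(Y) - 2)                # step 550: S_0 .. S_{n-2}
    return [y ^ s for y, s in zip(Y, S)] + list(emac)  # steps 560-570: C_i = Y_i xor S_i, then MAC

def decrypt(C):
    emac = (C[-2], C[-1])                          # FIG. 7A: MAC blocks are C_{n-1}, C_n
    Y = [c ^ s for c, s in zip(C, keystream(emac, len(C) - 2))] + list(prp(emac, True))
    return invert_cbc(Y, *PARAMS)
```

Because every step of the chain is a bijection in $Y_{i-1}$ for fixed $P_i$, a change to any plaintext block changes $(Y_{n-1}, Y_n)$; only the FIG. 5/7A data flow is modelled here, and the receiver-side verification of the decrypted MAC, which the claims reproduced above do not spell out, is not shown.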






FIG. 6  ENCRYPTION, BACKWARD CBC PROCEDURE 600 (flowchart; text recovered from the figure): 

ENTER 
610  Initialize: $i \leftarrow n - 1$ 
615  Calculate: $C_n = F(e \cdot Y_n)$ 
620  Calculate ciphertext: 
     for even i: $C_i = F[(C_{i+1}) + e \cdot Y_i]$ 
     for odd i: $C_i = G[(C_{i+1}) + Y_i]$ 
633  Decrement i: $i \leftarrow i - 1$ and repeat (640, 645) 



FIG. 8  DECRYPTION, BACKWARD CBC PROCEDURE 800 (flowchart; text recovered from the figure): 

ENTER 
810  Initialize: $i \leftarrow 0$ 
820  Calculate intermediate bit stream, Y: 
     for odd i: $Y_i = G^{-1}[C_i] - C_{i+1}$ 
     (the even-i case is not legible in the drawing) 
840  Increment i: $i \leftarrow i + 1$ and repeat (845) 
EXIT 






FIG. 7A  DECRYPTION PROCEDURE 700 (flowchart; text recovered from the figure): 

ENTER 
     Incoming ciphertext, C 
     Decrypt MAC $(Y'_{n-1}, Y'_n)$ in the n-1 and n blocks of ciphertext (C) using the inverse pseudo-random permutation, e.g., using inverse DES with (a, b) as a key, to yield $(Y_{n-1}, Y_n)$ 
710  Decryption, stream cipher procedure: calculate stream cipher, S, with encrypted MAC $(Y'_{n-1}, Y'_n)$ as seed and ciphertext stream ($C_i$, i = 0, ..., n-2) as input to yield n-1 blocks, i.e., $S_0, \ldots, S_{n-2}$ 
     Generate n-2 blocks of intermediate bit stream, Y, as the exclusive-OR combination of corresponding blocks of ciphertext $C_0, \ldots, C_{n-2}$ and stream cipher $S_0, \ldots, S_{n-2}$, i.e., $Y_i = C_i \oplus S_i$ for all i = 0, ..., n-2 
     Append decrypted MAC $(Y_{n-1}, Y_n)$ to the n-1 and n positions of Y 



INTERNATIONAL SEARCH REPORT                    International Application No PCT/US 99/08612 

C. (Continuation) DOCUMENTS CONSIDERED TO BE RELEVANT 

Category    | Citation of document, with indication, where appropriate, of the relevant passages                                                                                                  | Relevant to claim No. 
(illegible) | US 5 615 264 A (KAZMIERCZAK ET AL.), 25 March 1997 (1997-03-25); column 6, last paragraph - column 7, line 27; column 8, line 48 - line 52; column 11, line 19 - line 32 | 1, 13, 29, 40 

Form PCT/ISA/210 (continuation of second sheet) (July 1992)        page 2 of 2 



INTERNATIONAL SEARCH REPORT                    International Application No PCT/US 99/08612 
Information on patent family members 

Patent document cited in search report | Publication date | Patent family member(s) | Publication date 
US 5319710                             | 07-06-1994       | EP 0678836              | 25-10-1995 
                                       |                  | AU 664823               | 07-12-1995 
                                       |                  | CA 1340092              | 20-10-1995 
                                       |                  | DE 69407952             | 19-02-1998 
                                       |                  | DE 69407952             | 03-09-1998 
US 5615264                             | 25-03-1997       | AU 6635396 A            | 09-01-1997 
                                       |                  | EP 0836774 A            | 22-04-1998 
                                       |                  | WO 9642153 A            | 27-12-1996 
                                       |                  | US 5764762 A            | 09-06-1998 

Form PCT/ISA/210 (patent family annex) (July 1992) 



